Debian Bug report logs - #343836
(CVE-2005-4348) Security: DoS attack possible - crashes on empty message


Package: fetchmail; Maintainer for fetchmail is Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>; Source for fetchmail is src:fetchmail.

Reported by: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>

Date: Sun, 18 Dec 2005 03:48:02 UTC

Severity: important

Tags: fixed-upstream, patch, security

Merged with 345944

Found in versions fetchmail/6.2.5-12sarge3, fetchmail/6.2.5.4-1

Fixed in version fetchmail/6.3.1-1

Done: Hector Garcia <hector@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Steve Fosdick <dbugs@pelvoux.nildram.co.uk>:
New Bug report received and forwarded. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Security: DoS attack possible - crashes on empty message
Date: Sun, 18 Dec 2005 03:44:41 +0000
Package: fetchmail
Version: 6.2.5.4-1
Severity: important

Wondering why only local mail had arrived in my mailbox for several
days I found from the syslog that whenever fetchmail was started it
got as far as message 46 from my ISP's POP3 server then crashed.

I used telnet to log in to the POP3 server directly and fetched message
46 which seemed to consist only of a single blank line:

RETR 46
+OK

.
DELE 46
+OK

I have been able to work around this by deleting message 46 and it is
now fetching the other messages OK, but clearly someone could plant
such a message in someone's mailbox to disrupt their mail service - a
kind of DoS attack.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.4
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-15)

Versions of packages fetchmail depends on:
ii  adduser                       3.80       Add and remove users and groups
ii  base-files                    3.1.9      Debian base system miscellaneous f
ii  debianutils                   2.15.1     Miscellaneous utilities specific t
ii  libc6                         2.3.5-8    GNU C Library: Shared libraries an
ii  libssl0.9.8                   0.9.8a-3   SSL shared libraries

Versions of packages fetchmail recommends:
ii  ca-certificates               20050804   Common CA Certificates PEM files

-- debconf information:
* fetchmail/confwarn:
* fetchmail/systemwide: true
* fetchmail/initdefaultswarn:
* fetchmail/runasroot: false
  fetchmail/fetchidswarn:



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Matthias Andree <matthias.andree@gmx.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 343836@bugs.debian.org (full text, mbox):

From: Matthias Andree <matthias.andree@gmx.de>
To: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>
Cc: 343836@bugs.debian.org,control@bugs.debian.org
Subject: Re: Bug#343836: Security: DoS attack possible - crashes on empty message
Date: Mon, 19 Dec 2005 00:24:16 +0100
[Message part 1 (text/plain, inline)]
tags 343836 + security
thanks

Steve,

are you using multidrop mode? If so, please test if the attached patch
fixes the bug.  It is an untested backport from 6.3.1-rc1.

If you are not using multidrop mode, please provide your configuration
details (passwords masked!) and a stack backtrace.

-- 
Matthias Andree
[patch-emptymail-segfault.diff (text/x-patch, attachment)]

Tags added: security Request was from Matthias Andree <matthias.andree@gmx.de> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from matthias.andree@gmx.de (Matthias Andree) to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed-upstream Request was from matthias.andree@gmx.de (Matthias Andree) to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch, fixed-upstream Request was from matthias.andree@gmx.de (Matthias Andree) to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #23 received at 343836@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>, 343836@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#343836: Security: DoS attack possible - crashes on empty message
Date: Wed, 21 Dec 2005 13:12:41 +0100
[Message part 1 (text/plain, inline)]
Matthias Andree wrote:
> are you using multidrop mode? If so, please test if the attached patch
> fixes the bug.  It is an untested backport from 6.3.1-rc1.
> 
> If you are not using multidrop mode, please provide your configuration
> details (passwords masked!) and a stack backtrace.

Thanks a lot Matthias,

The patch does not apply though, since xfree() is unknown in version 6.2.5.
I assume that the xfree only frees the memory when it is not NULL and sets
the variable to NULL again, so the attached patch should do the same and apply
to the version in Debian sarge/etch/sid.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
[x (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Matthias Andree <matthias.andree@gmx.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #28 received at 343836@bugs.debian.org (full text, mbox):

From: Matthias Andree <matthias.andree@gmx.de>
To: Martin Schulze <joey@infodrom.org>
Cc: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>, 343836@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#343836: Security: DoS attack possible - crashes on empty message
Date: Wed, 21 Dec 2005 17:04:05 +0100
Martin Schulze wrote:

> The patch does not apply though, since xfree() is unknown in version 6.2.5.
> I assume that the xfree only frees the memory when it is not NULL and sets
> the variable to NULL again, so the attached patch should do the same and apply
> to the version in Debian sarge/etch/sid.

Whoops, my apologies. Your assumptions are right, we are using this macro,
which is part of fetchmail 6.2.5.5's transact.c:

#define xfree(p) { if (p) { free(p); (p) = 0; } }

It is perhaps easier to advance to fetchmail 6.2.5.5. The number of changes
is low, and all changes either add documentation or fix important bugs.
While 6.2.5 on Debian may not need the Solaris or gettext build fix of the
day, I haven't yet heard of problems introduced that way. OTOH, I don't know
how many people have gone for 6.3.X right away.

The changelog vs. 6.2.5 is at <http://mandree.home.pages.de/fetchmail/NEWS.txt>

HTH,
Matthias


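The two technical details in this thread are the RETR transcript in Steve Fosdick's report (the server answers "+OK", a single blank line, then the "." terminator) and the xfree macro Matthias Andree quotes from fetchmail 6.2.5.5's transact.c. The following is an added example written for this page, not fetchmail's own code and not the patch that was attached: a small RFC 1939 RETR-reply parser that leaves its header and body buffers NULL when the server sends nothing for them, so a header-less message yields a header count of zero rather than a NULL dereference, and that releases the buffers through the quoted xfree macro so that a repeated free is a no-op. The sample replies are constructed, and nothing here claims to reproduce the exact code path that crashed in 6.2.5.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Free-and-null macro as quoted in the thread (fetchmail 6.2.5.5 transact.c). */
#define xfree(p) { if (p) { free(p); (p) = 0; } }

/* Parsed RETR reply; a buffer stays NULL when the server sent nothing for it. */
struct msg {
    char *headers;   /* header lines joined with '\n', or NULL */
    char *body;      /* body lines joined with '\n', or NULL */
    int nheaders;    /* number of header lines seen */
};

/* Append n bytes of s plus '\n' to *buf (*buf may be NULL). 0 on success. */
static int append_line(char **buf, size_t *len, const char *s, size_t n)
{
    char *nb = realloc(*buf, *len + n + 2);
    if (!nb)
        return -1;
    memcpy(nb + *len, s, n);
    nb[*len + n] = '\n';
    nb[*len + n + 1] = '\0';
    *buf = nb;
    *len += n + 1;
    return 0;
}

/* Release both buffers; safe to call repeatedly because xfree nulls them. */
static void msg_free(struct msg *m)
{
    xfree(m->headers);
    xfree(m->body);
    m->nheaders = 0;
}

/* Parse "+OK...<CRLF>" plus CRLF-separated lines, undo dot-stuffing and stop
 * at the lone "." terminator (RFC 1939 section 3). A blank first line means
 * "no headers": nheaders stays 0 and headers stays NULL rather than being read.
 * Returns 0 on success, -1 on a non-+OK status or a missing terminator. */
static int parse_retr(const char *resp, struct msg *out)
{
    size_t hlen = 0, blen = 0, n;
    int in_headers = 1;
    const char *p, *eol;

    out->headers = out->body = NULL;
    out->nheaders = 0;
    if (strncmp(resp, "+OK", 3) != 0 || (p = strstr(resp, "\r\n")) == NULL)
        return -1;
    for (p += 2; (eol = strstr(p, "\r\n")) != NULL; p = eol + 2) {
        n = (size_t)(eol - p);
        if (n == 1 && p[0] == '.')
            return 0;                    /* end of multi-line response */
        if (n > 1 && p[0] == '.') {      /* ".." at line start -> "." */
            p++;
            n--;
        }
        if (in_headers && n == 0) {
            in_headers = 0;              /* blank line closes the header block */
        } else if (in_headers) {
            if (append_line(&out->headers, &hlen, p, n) < 0)
                break;
            out->nheaders++;
        } else if (append_line(&out->body, &blen, p, n) < 0) {
            break;
        }
    }
    msg_free(out);                       /* truncated reply or out of memory */
    return -1;
}

/* Header count of a RETR reply, or -1 when it cannot be parsed. */
int retr_header_count(const char *resp)
{
    struct msg m;
    int n = parse_retr(resp, &m) < 0 ? -1 : m.nheaders;
    msg_free(&m);
    return n;
}

/* Body length in bytes (0 for a body-less message), or -1 on parse error. */
long retr_body_length(const char *resp)
{
    struct msg m;
    long n = parse_retr(resp, &m) < 0 ? -1 : (m.body ? (long)strlen(m.body) : 0);
    msg_free(&m);
    msg_free(&m);                        /* harmless second call: pointers are NULL */
    return n;
}

/* Constructed inputs, not captured from a real server. EMPTY_MSG mirrors the
 * transcript in the bug report: "+OK", one blank line, then ".". */
static const char EMPTY_MSG[] = "+OK\r\n\r\n.\r\n";
static const char NORMAL_MSG[] = "+OK 70 octets\r\nFrom: sender@example.test\r\n"
    "Subject: hello\r\n\r\n..leading dot line\r\nbye\r\n.\r\n";
static const char TRUNCATED_MSG[] = "+OK\r\nSubject: cut\r\n";

int main(void)
{
    printf("empty: headers=%d body=%ld\n", retr_header_count(EMPTY_MSG), retr_body_length(EMPTY_MSG));
    printf("normal: headers=%d body=%ld\n", retr_header_count(NORMAL_MSG), retr_body_length(NORMAL_MSG));
    printf("truncated: headers=%d\n", retr_header_count(TRUNCATED_MSG));
    return 0;
}
```

Build with `cc -Wall -o retr retr.c`. The third sample shows the other check a client wants on this path: a reply that ends before the "." terminator is reported as a parse error instead of being accepted as a complete message.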

Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #33 received at 343836@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Matthias Andree <matthias.andree@gmx.de>
Cc: Steve Fosdick <dbugs@pelvoux.nildram.co.uk>, 343836@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#343836: Security: DoS attack possible - crashes on empty message
Date: Wed, 21 Dec 2005 22:03:43 +0100
Matthias Andree wrote:
> Martin Schulze wrote:
> 
> > The patch does not apply though, since xfree() is unknown in version 6.2.5.
> > I assume that the xfree only frees the memory when it is not NULL and sets
> > the variable to NULL again, so the attached patch should do the same and apply
> > to the version in Debian sarge/etch/sid.
> 
> Whoops, my apologies. Your assumptions are right, we are using this macro,
> which is part of fetchmail 6.2.5.5's transact.c:
> 
> #define xfree(p) { if (p) { free(p); (p) = 0; } }

Thanks.

> It is perhaps easier to advance to fetchmail 6.2.5.5. The number of changes
> is low, and all changes either add documentation or fix important bugs.

For sid yes.  For once released Debian versions this is not an option.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org, Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>:
Bug#343836; Package fetchmail. Full text and rfc822 format available.

Acknowledgement sent to Matthias Andree <matthias.andree@gmx.de>:
Extra info received and forwarded to list. Copy sent to Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #38 received at 343836@bugs.debian.org (full text, mbox):

From: Matthias Andree <matthias.andree@gmx.de>
To: Loïc Minier <lool+alioth@via.ecp.fr>, 345944@bugs.debian.org, 343836@bugs.debian.org, control@bugs.debian.org, martin.pitt@canonical.com
Subject: Re: [pkg-fetchmail-maint] Bug#345944: CVE-2005-4348 USN-233-1 fetchmail vulnerability
Date: Wed, 04 Jan 2006 19:07:06 +0100
merge 345944 343836
thanks

This is a duplicate of Bug#343836, merging.

Loïc Minier wrote:

>  Ubuntu released an updated fetchmail package for CVE-2005-4348
>  (attached).

and forwarded:

> ===========================================================
> Ubuntu Security Notice USN-233-1	   January 02, 2006
> fetchmail vulnerability
> CVE-2005-4348
> ===========================================================
>
> [...]
>
> Details follow:
>
> Steve Fosdick discovered a remote Denial of Service vulnerability in
> fetchmail. When using fetchmail in 'multidrop' mode, a malicious email
> server could cause a crash by sending an email without any headers.
> Since fetchmail is commonly called automatically (with cron, for
> example), this crash could go unnoticed.

This is misattributed:
Daniel Drake (Gentoo) had publicly reported the issue on December 5 already,
<http://lists.ccil.org/pipermail/fetchmail-friends/2005-December/009880.html>,
two weeks before Steve Fosdick did.

At that time, a different fix had already been in the upstream fetchmail
CVS, which was in pretest phase for the 6.3.1 release that was released
one day after Steve's report.

The patch that was committed /upstream/ was a variant of
<http://lists.berlios.de/pipermail/fetchmail-devel/2005-December/000585.html>
that left the curly braces in fetchmail. It may not qualify as the
minimum fix though.

-- 
Matthias Andree



Merged 343836 345944. Request was from matthias.andree@gmx.de (Matthias Andree) to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Hector Garcia <hector@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steve Fosdick <dbugs@pelvoux.nildram.co.uk>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 345944-close@bugs.debian.org (full text, mbox):

From: Hector Garcia <hector@debian.org>
To: 345944-close@bugs.debian.org
Subject: Bug#345944: fixed in fetchmail 6.3.1-1
Date: Fri, 13 Jan 2006 03:47:06 -0800
Source: fetchmail
Source-Version: 6.3.1-1

We believe that the bug you reported is fixed in the latest version of
fetchmail, which is due to be installed in the Debian FTP archive:

fetchmail_6.3.1-1.diff.gz
  to pool/main/f/fetchmail/fetchmail_6.3.1-1.diff.gz
fetchmail_6.3.1-1.dsc
  to pool/main/f/fetchmail/fetchmail_6.3.1-1.dsc
fetchmail_6.3.1-1_i386.deb
  to pool/main/f/fetchmail/fetchmail_6.3.1-1_i386.deb
fetchmail_6.3.1.orig.tar.gz
  to pool/main/f/fetchmail/fetchmail_6.3.1.orig.tar.gz
fetchmailconf_6.3.1-1_all.deb
  to pool/main/f/fetchmail/fetchmailconf_6.3.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 345944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hector Garcia <hector@debian.org> (supplier of updated fetchmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 13 Jan 2006 12:01:10 +0100
Source: fetchmail
Binary: fetchmailconf fetchmail
Architecture: source i386 all
Version: 6.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Fetchmail Maintainers <pkg-fetchmail-maint@lists.alioth.debian.org>
Changed-By: Hector Garcia <hector@debian.org>
Description: 
 fetchmail  - SSL enabled POP3, APOP, IMAP mail gatherer/forwarder
 fetchmailconf - fetchmail configurator
Closes: 156094 207919 212240 213299 213484 218040 224564 229014 230615 241883 242384 244828 276044 276424 277324 296163 298557 301348 301964 304701 304701 316446 316454 317761 320645 323028 327250 329975 338007 340630 344582 345263 345944
Changes: 
 fetchmail (6.3.1-1) unstable; urgency=low
 .
   [ Nico Golde ]
   * New upstream release
     - Fixed tracepolls problem for 2nd user in skip stanza (Closes: #156094).
     - Corrected global option descriptions in manpage (Closes: #241883).
     - Progress dots will appear now (Closes: #298557).
     - Fixed manpage typos (Closes: #323028).
     - Fixed character encoding of fetchmail daemon (Closes: #277324).
     - Fixed broken subjects in notification mails (Closes: #301348)
     - uidl usage is not switched on by default anymore (Closes: #304701).
     - Security fix. CVE-2005-4348 (Closes: #345944).
     - IPv6 is now enabled by default (Closes: #345263, #329975).
   * Removed de.po fix because upstream included it.
   * Added Homepage tag to control file.
   * Update manpage patch to current version.
   * Removed flex and bison from build depends, they are no longer needed.
   * Fetchmail now uses gettext.
   * Removed --enable-ipv6 (its default now) and --enable-netsec cause
     it is no longer working.
   * Added call to make update-gmo to fix localisation problems (Closes: #340630).
   * Updated copyright file.
   * Removed Loïc Minier from uploaders.
   * Added fetchmail-ssl removal to NEWS file.
   * Removed xutils dependency because makedepend is not necessary since 6.3.0.
   * Moved fetchmail home directory to /var/lib/fetchmail (Closes: #327250).
   * Removed NEWS.truncated file from installation and replaced with OLDNEWS.
 .
   [ Hector Garcia ]
   * Remove man1 from mandir on install time. (change on the packaging).
   * Added myself to uploaders.
   * Added patch to fix warning on fetchmail man page. Should submit upstream.
   * Included gettext on build-depend.
   * Included patch to update es.po. Already sent patch to usual translator.
   * Added /etc/default/fetchmail to define when to start fetchmail or not
     (Closes: #344582, #218040, #276044).
   * Added NEWS.Debian to explain above.
   * Made changes on control file to delete properly old fetchmail-ssl. I must
     ask ftpmaster to delete it from archive.
   * Removed depend on base-files (>= 2.2.0). Woody was released with 3.0.2
   * Fixed a problem on debian/rules that was forcing configure to be called twice.
   * Changed UIDL file to /var/lib/fetchmail/.fetchmail-UIDL-cache since now
     upstream needs to write more files on same dir, hence /var/mail is not
     suitable.
   * Added python to build-depends.
 .
 fetchmail (6.3.0-1) unstable; urgency=low
 .
   * New upstream release.
     - Security fix. CVE-2005-2335 and CVE-2005-3088
     - Drop support for OS not conforming to the Single Unix Specification v2
       or v3 (aka IEEE Std 1003.1-2001).
     - Default for --smtphost is now always "localhost".
     - Force fetchsizelimit to 1 for APOP and RPOP.
     - Patch, to use a NULL envelope from, not write a Return-Path header (both to
       meet RFC-2821), changed From, added Subject header, rewording the human
       readable part.  (Closes: #316446).
     - Patch to avoid a segfault in multidrop/received mode when the
       Received: headers are malformatted.
     - MIME-encode bodies and Subject headers of warning messages, limiting
       the header to 7 bits.
     - Normalize most locale codesets to IANA codesets.
     - Nico Golde's patch to support "proto RPOP" in the configuration file,
       reported. (Closes: #242384)
     - Added Russian translation.
     - Dropped da=Danish, el=Greek and tr=Turkish translations which have more
       than 10% (61+) untranslated or fuzzy messages.
     - Major fetchmail(1) manual page overhaul.
     - Fix fetchmail leaks sockets when SSL negotiation fails.
       (Closes: #301964).
     - Really fix (garbage in Received: lines when smtphostset).
       (Closes: #207919).
     - When writing the PID file, write a FHS 2.3 compliant PID file.
       (Closes: #230615).
     - Make ODMR really silent, suppress "fetchmail: receiving message data".
      (Closes: #296163).
     - Add From: header to warning emails. (Closes: #244828).
     - Fix IMAP code to use password of arbitrary length from configuration
       file (although not when read interactively). (Closes: #276424).
     - Document that fetchmail may automatically enable UIDL option.
       (Closes: #304701).
     - Put *BOLD* text into the manual page near --mda to state unmistakably
       that the --mda %T and %F substitutions add single quotes, hoping to avoid
       bogus bug reports. (Closes: #224564).
     - gettext (intl/) has been removed from the fetchmail package.
     - Use of automake.
     - Rename fetchmailconf to fetchmailconf.py. Created a /bin/sh wrapper.
     - New dummy fetchmailconf manual page.
     - fetchmailconf redirects fetchmail's input from /dev/null so it doesn't
       wait for the user to enter a password when the user doesn't even see the prompt.
     - Write RFC-compliant BSMTP envelopes.
     - Received: headers now enclose the for <...> destination address in angle
       brackets for consistency with Postfix.
     - Delete oversized messages with the new --limitflush option.
       (Closes: #212240).
     - Add full support for --service option.
     - Make "envelope 'Delivered-To'" work with dropdelivered.
     - fetchmail should now automatically detect if OpenSSL requires -ldl
     - Missed --port/--service/--ssl cleanups in the manual.
     - Properly shut down SSL connections.
     - Add support for SubjectAltName (RFC-2595 or 2818), to avoid bogus certificate
       mismatch errors. Patch by Roland Stigge, Debian Bug#201113. (MA)
     - make fetchmail --silent --quit really silent. (Closes: #229014)
     - Exit with error if the lock file cannot be read.
     - Do not break some other process's lockfile in "-q" mode, but wait for
       the other process's exit.
     - Man page: --sslfingerprint points user to x509(1ssl) and gives an
          example how to use it. (Closes: #213484)
     - Try to obtain FQDN as our own host by default, rather than using
      "localhost". If hostname cannot be qualified, complain noisily and continue,
       unless Kerberos, ODMR or ETRN are used (these require a FQDN).
       Partial fix of Debian Bug#150137. (Closes: #316454).
     - fetchmailconf now sets the service properly after autoprobe.
       (Closes: #320645).
     - When eating IMAP message trailer, don't see any line containing "OK"
       as the end of the trailer, but wait for the proper tagged OK line. To work
       around the qmail + Courier-IMAP problem in Debian. (Closes: #338007).
     - Fixes: when trying to send a bounce message, don't bail out if we cannot
       qualify our own hostname, so we aren't losing the bounce. Instead, pass the
       buck on to the SMTP server and use our own unqualified hostname.
       (Closes: #317761)
     - Updated translations: Albanian [sq] (Besnik Bleta), Catalan [ca] (Ernest
       Adrogué Calveras), Czech [cs] (Miloslav Trmac), German [de] (MA),
       Spanish (Castilian) [es] (Javier Kohen), French [fr] (MA),
       Polish [pl] (Jakub Bogusz), Russian [ru] (Pavel Maryanov).
     - In oversized warning messages, print the account name, too.
       (Closes: #213299).
   * Remove man1 from mandir on install time. (change on the packaging).
   * Deleted es.po patch. Included upstream. Updated 00list.
   * Added myself to uploaders.
   * Added patch to fix warning on fetchmail man page. Should submit upstream.
Files: 
 07169cd69d58bcd10087b97c9e5f797a 747 mail optional fetchmail_6.3.1-1.dsc
 8d77911b29439f773d3bc30604e6ff23 1236186 mail optional fetchmail_6.3.1.orig.tar.gz
 099478927d3ba81a0e79ac49e1c80dde 43504 mail optional fetchmail_6.3.1-1.diff.gz
 76cb698468e1cc6529a14ea6a9ad3fc4 32826 mail optional fetchmailconf_6.3.1-1_all.deb
 0b88a8e2489e6b837a46b96cbd8e5719 558832 mail optional fetchmail_6.3.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDx44rMwsDi2xjdG0RAv+LAJ9EFo+LO6htPhkGsBNH1X5MxluhGwCgjCSX
mDk072shb7L5AmBFflxrZuQ=
=QALn
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 05:37:54 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 02:54:01 2014; Machine Name: buxtehude.debian.org